Vulnerabilities > CVE-2017-1677 - Deserialization of Untrusted Data vulnerability in IBM DB2

047910
CVSS 4.6 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
local
low complexity
ibm
linux
microsoft
CWE-502
nessus
NVD
Published: 2018-03-22
Updated: 2018-07-07

Summary

IBM Data Server Driver for JDBC and SQLJ (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1) deserializes the contents of /tmp/connlicj.bin which leads to object injection and potentially arbitrary code execution depending on the classpath. IBM X-Force ID: 133999.

Vulnerable Configurations

Part Description Count
Application
Ibm
4
OS
Linux
1
OS
Microsoft
1

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyWindows
    NASL idDB2_1113FP3_WIN.NASL
    descriptionAccording to its version, the installation of IBM DB2 on the remote Windows host is either 9.7 prior to Fix Pack 11 Special Build 37314, 10.1 prior to Fix Pack 6 Special Build 37313, 10.5 prior to Fix Pack 10 , or 11.1.3 prior to Fix Pack 3. It is, therefore, affected by a local privilege escalation vulnerability in the DB2 JDBC driver.
    last seen2020-06-01
    modified2020-06-02
    plugin id108589
    published2018-03-23
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108589
    titleIBM DB2 9.7 < FP11 Special Build 37314 / 10.1 < FP6 Special Build 37313 / 10.5 < FP10 / 11.1.3 < FP3 JDBC Driver Unsafe Deserialization Local Privilege Escalation (Windows)
    code
    #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(108589);
  script_version("1.7");
  script_cvs_date("Date: 2019/12/18");

  script_cve_id("CVE-2017-1677");
  script_bugtraq_id(103422);

  script_name(english:"IBM DB2 9.7 < FP11 Special Build 37314 / 10.1 < FP6 Special Build 37313 / 10.5 < FP10 / 11.1.3 < FP3 JDBC Driver Unsafe Deserialization Local Privilege Escalation (Windows)");
  script_summary(english:"Checks the DB2 signature.");

  script_set_attribute(attribute:"synopsis", value:
"The remote database server is affected by a local privilege escalation vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its version, the installation of IBM DB2 on the remote
Windows host is either 9.7 prior to Fix Pack 11 Special Build 37314,
10.1 prior to Fix Pack 6 Special Build 37313, 10.5 prior to Fix Pack 10
, or 11.1.3 prior to Fix Pack 3. It is, therefore, affected by a local 
privilege escalation vulnerability in the DB2 JDBC driver.");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg22012896");
  # https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-db2-performs-unsafe-deserialization-in-db2-jdbc-driver-cve-2017-1677/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?af7ae113");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate IBM DB2 Fix Pack or Special Build based on the
most recent fix pack level for your branch.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-1677");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/03/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/23");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:db2");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("db2_and_db2_connect_installed.nbin");
  script_require_keys("SMB/db2/Installed");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("install_func.inc");
include("misc_func.inc");
include("db2_report_func.inc");

app = "DB2 Server";

# linux uses register_install, so we need to check this KB item
if(!get_kb_item("SMB/db2/Installed")) audit(AUDIT_NOT_INST, app);

install = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);
version = report_version = install['version'];

special_build = install['special_build'];
if (empty_or_null(special_build)) special_build = "None";
if (special_build != "None") report_version += " with Special Build " + special_build;

path = install['path'];

fix_ver = NULL;
fix_build = NULL;

if (version =~ "^9\.7\.")
{
  fix_ver = "9.7.1100.352";
  fix_build = "37314";
}
else if (version =~ "^10\.1\.")
{
  fix_ver = "10.1.600.580";
  fix_build = "37313";
}
else if (version =~ "^10\.5\.")
  fix_ver = "10.5.1000.898";
else if (version =~ "^11\.1\.")
  fix_ver = "11.1.3030.239";
else
  audit(AUDIT_INST_PATH_NOT_VULN, app, report_version, path);

vuln = FALSE;
cmp = ver_compare(ver:version, fix:fix_ver, strict:FALSE);
# less than current fix pack
if (cmp < 0)
  vuln = TRUE;
else if (cmp == 0 && !isnull(fix_build))
{
  # missing special build or less than current special build      
  if (special_build == "None" || ver_compare(ver:special_build, fix:fix_build, strict:FALSE) < 0)
    vuln = TRUE;
}

if (!vuln)
  audit(AUDIT_INST_PATH_NOT_VULN, app, report_version, path);

port = get_kb_item("SMB/transport");
if (!port) port = 445;

report_db2(
    severity          : SECURITY_WARNING,
    port              : port,
    product           : app,
    path              : path,
    installed_version : version,
    fixed_version     : fix_ver,
    special_installed : special_build,
    special_fix       : fix_build);
  • NASL familyDatabases
    NASL idDB2_1113FP3_NIX.NASL
    descriptionAccording to its version, the installation of IBM DB2 running on the remote host is either 9.7 prior to Fix Pack 11 Special Build 37314, 10.1 prior to Fix Pack 6 Special Build 37313, 10.5 prior to Fix Pack 10 Special Build 37311, or 11.1.3 prior to Fix Pack 3. It is, therefore, affected by a local privilege escalation vulnerability in the DB2 JDBC driver.
    last seen2020-06-01
    modified2020-06-02
    plugin id108588
    published2018-03-23
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108588
    titleIBM DB2 9.7 < FP11 Special Build 37314 / 10.1 < FP6 Special Build 37313 / 10.5 < FP10 Special Build 37311 / 11.1.3 < FP3 JDBC Driver Unsafe Deserialization Local Privilege Escalation (UNIX)
    code
    #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(108588);
  script_version("1.6");
  script_cvs_date("Date: 2019/11/08");

  script_cve_id("CVE-2017-1677");
  script_bugtraq_id(103422);

  script_name(english:"IBM DB2 9.7 < FP11 Special Build 37314 / 10.1 < FP6 Special Build 37313 / 10.5 < FP10 Special Build 37311 / 11.1.3 < FP3 JDBC Driver Unsafe Deserialization Local Privilege Escalation (UNIX)");
  script_summary(english:"Checks the DB2 signature.");

  script_set_attribute(attribute:"synopsis", value:
"The remote database server is affected by a local privilege escalation vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its version, the installation of IBM DB2 running on the
remote host is either 9.7 prior to Fix Pack 11 Special Build 37314,
10.1 prior to Fix Pack 6 Special Build 37313, 10.5 prior to Fix Pack 10
Special Build 37311, or 11.1.3 prior to Fix Pack 3. It is, therefore,
affected by a local privilege escalation vulnerability in the DB2 JDBC
driver.");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg22012896");
  # https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-db2-performs-unsafe-deserialization-in-db2-jdbc-driver-cve-2017-1677/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?af7ae113");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate IBM DB2 Fix Pack or Special Build based on the
most recent fix pack level for your branch.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-1677");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/03/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/23");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:db2");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Databases");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("db2_installed.nbin");
  script_require_keys("installed_sw/DB2 Server");
  script_exclude_keys("SMB/db2/Installed");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("install_func.inc");
include("db2_report_func.inc");

# The remote host's OS is Windows, not Linux.
if (get_kb_item("SMB/db2/Installed")) audit(AUDIT_OS_NOT, "Linux", "Windows");

app     = "DB2 Server";
install = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);
port = install['port'];
if (!port) port = 0;

# DB2 has an optional OpenSSH server that will run on 
# windows.  We need to exit out if we picked up the windows
# installation that way.
if ("Windows" >< install['platform'])
  audit(AUDIT_HOST_NOT, "a Linux based operating system");

version = kb_version = install['version'];

path    = install['path'];

special_build = install['special_build'];
if (empty_or_null(special_build)) special_build = "None";
if (special_build != "None") kb_version += " with Special Build " + special_build;

fix_ver = NULL;
fix_build = NULL;

if (version =~ "^9\.7\.")
{
  fix_ver = "9.7.0.11";
  fix_build = "37314";
}
else if (version =~ "^10\.1\.")
{
  fix_ver = "10.1.0.6";
  fix_build = "37313";
}
else if (version =~ "^10\.5\.")
{
  fix_ver = "10.5.0.10";
  fix_build = "37311";
}
else if (version =~ "^11\.1\.")
  fix_ver = "11.1.3.3";
else
  audit(AUDIT_INST_PATH_NOT_VULN, app, kb_version, path);

vuln = FALSE;
cmp = ver_compare(ver:version, fix:fix_ver, strict:FALSE);
# less than current fix pack                                      
if (cmp < 0)
  vuln = TRUE;
else if (cmp == 0 && !isnull(fix_build))
{
  # missing special build or less than current special build      
  if (special_build == "None" || ver_compare(ver:special_build, fix:fix_build, strict:FALSE) < 0)
    vuln = TRUE;
}

if (!vuln)
  audit(AUDIT_INST_PATH_NOT_VULN, app, kb_version, path);

report_db2(
    severity          : SECURITY_WARNING,
    port              : port,
    product           : app,
    path              : path,
    installed_version : version,
    fixed_version     : fix_ver,
    special_installed : special_build,
    special_fix       : fix_build);

References